- From: John Wong <gokoproject@gmail.com>
- Date: Wed, 30 Sep 2015 11:47:01 -0400
- To: Jonathan Kingston <jonathan@jooped.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Wednesday, 30 September 2015 15:47:29 UTC
On Wed, Sep 30, 2015 at 5:57 AM, Jonathan Kingston <jonathan@jooped.com>
wrote:
>
> The credential manager would also have the ability to inform users of
> applications using weak credentials for longer time periods than suggested.
>
>
> ---
>
> This might for example look like:
>
> navigator.credentials.get({ "password": true, credentialClass: 2 })
>
> An application would inform the credential manager what class of credential
> they require, this prevents the credential manager sending things that the
> app can't cope with however also prevents the site making bad choices.
>
>
This is where it confuses me, and excuse me if it is clear to others. How should
the CM prevent the site from making bad choices?
I think the first part is like a handshake where we exchange, negotiate and
agree upon something. But maybe we have to be careful with negotiation - if
the WG says these are the only classes the UA supports. At least there should be an
option in the browser to bypass the negotiation so it makes testing easy
(maybe I want to test a weak password).
John